Analysis

- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-06-2024 07:44

Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe
  - Resource: win7-20240508-en
General

- Target: 0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe
- Size: 192KB
- MD5: 0741a1830a1533d499c2038768d3deae
- SHA1: b91e7a8b69a4c8e6887ea2302fa44ee74c29b681
- SHA256: 06827da10ded8e21904644041887240a152352a2709a326bab95e637866ccb43
- SHA512: 3ed8b51527f4b67f8e3bfa6199c835fab1d56f6490ad5b17ab684f75d1ac2a6f39888c2ed345cd47e850e61e40ff76ccd024d1b12019477b2807c100039f02bd
- SSDEEP: 3072:naDiCoKnWncEiArFyThA+l3qMbcE701jPh8/4Oha:aDRoKnWncsrFyTm+l35cEYpGAO
Malware Config
Signatures

Gh0st RAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x00090000000233f0-7.dat | family_gh0strat
  behavioral2/memory/2396-11-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
  behavioral2/memory/3992-16-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
  behavioral2/memory/2284-21-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat

Deletes itself (1 IoC)
  pid | Process
  1232 | fvgmrlwrlx

Executes dropped EXE (1 IoC)
  pid | Process
  1232 | fvgmrlwrlx

Loads dropped DLL (3 IoCs)
  pid | Process
  2396 | svchost.exe
  3992 | svchost.exe
  2284 | svchost.exe

Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\tvlxataioa | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\tejljnumoj | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\svchost.exe.txt | svchost.exe
  File created | C:\Windows\SysWOW64\tnxerqwkbe | svchost.exe
  File created | C:\Windows\SysWOW64\tnxerqwkbe | svchost.exe

Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Google\%SESSIONNAME%\lonkx.cc3 | fvgmrlwrlx

Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  3184 | 2396 | WerFault.exe | 82
  1048 | 3992 | WerFault.exe | 86
  3040 | 2284 | WerFault.exe | 89

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Token: SeRestorePrivilege | 1232 | fvgmrlwrlx
  Token: SeBackupPrivilege | 1232 | fvgmrlwrlx
  Token: SeBackupPrivilege | 1232 | fvgmrlwrlx
  Token: SeRestorePrivilege | 1232 | fvgmrlwrlx
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeRestorePrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeSecurityPrivilege | 2396 | svchost.exe
  Token: SeSecurityPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeSecurityPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeSecurityPrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 2396 | svchost.exe
  Token: SeRestorePrivilege | 2396 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeRestorePrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeSecurityPrivilege | 3992 | svchost.exe
  Token: SeSecurityPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeSecurityPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeSecurityPrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 3992 | svchost.exe
  Token: SeRestorePrivilege | 3992 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeRestorePrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeSecurityPrivilege | 2284 | svchost.exe
  Token: SeSecurityPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeSecurityPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeSecurityPrivilege | 2284 | svchost.exe
  Token: SeBackupPrivilege | 2284 | svchost.exe
  Token: SeRestorePrivilege | 2284 | svchost.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5036 wrote to memory of 1232 | 5036 | 0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe | 81
  PID 5036 wrote to memory of 1232 | 5036 | 0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe | 81
  PID 5036 wrote to memory of 1232 | 5036 | 0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe | 81
Processes

- C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe (PID 5036, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\fvgmrlwrlx (PID 1232, level 2, child of PID 5036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0741a1830a1533d499c2038768d3deae_JaffaCakes118.exe"a -sc:\users\admin\appdata\local\temp\0741a1830a1533d499c2038768d3deae_jaffacakes118.exe
    Signatures: Deletes itself; Executes dropped EXE; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken

- C:\Windows\SysWOW64\svchost.exe (PID 2396, level 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3184, level 2, child of PID 2396)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1088
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 2160, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2396 -ip 2396
  Signatures: none listed

- C:\Windows\SysWOW64\svchost.exe (PID 3992, level 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 1048, level 2, child of PID 3992)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1100
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 2800, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3992 -ip 3992
  Signatures: none listed

- C:\Windows\SysWOW64\svchost.exe (PID 2284, level 1)
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3040, level 2, child of PID 2284)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1096
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 676, level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2284 -ip 2284
  Signatures: none listed
Network
MITRE ATT&CK Matrix
Downloads